New Single-Trace Side-Channel Attacks on a Specific Class of Elgamal Cryptosystem

New Single-Trace Side-Channel Attacks on a

Specific Class of Elgamal Cryptosystem

Parinaz Mahdion, Hadi Soleimany, Pouya Habibi, Farokhlagha Moazami

Cyberspace Research Institute, Shahid Beheshti University

Abstract. In 2005, Yen et al. proposed the firstN−1 attack on the mod-ular exponentiation algorithms such as BRIP and square-and-multiply-always methods. This attack makes use of the ciphertextN−1 as a distin-guisher of low order to obtain a strong relation between side-channel leak-ages and secret exponent. The so-calledN−1 attack is one of the most important order-2 element attacks, as it requires a non-adaptive chosen ciphertext which is considered as a more realistic attack model compared to adaptive chosen ciphertext scenario. To protect the implementation againstN−1 attack, several literatures propose the simplest solution, i.e. “block the special message N−1”. In this paper, we conduct an in-depth research on theN−1 attack based on the square-and-multiply-always (SMA) and Montgomery Ladder (ML) algorithms. We show that despite the unaccepted ciphertextN−1 countermeasure, other types of N−1 attacks is applicable to specific classes of Elgamal cryptosystems. We propose new chosen-message power-analysis attacks with order-4 ele-ments which utilize a chosen ciphertextcsuch thatc2_{=−1 modpwhere} pis the prime number used as a modulus in Elgamal. Such a ciphertext can be found simply whenp≡1 mod 4. We demonstrate that ML and SMA algorithms are subjected to our newN−1-type attack by utiliz-ing a different ciphertext. We implement the proposed attacks on the TARGET Board of the ChipWhisperer CW1173 and our experiments validate the feasibility and effectiveness of the attacks by using only a single power trace.

Key words: Elgamal cryptosystem, Side-channel attacks, Montgomery Ladder, Square and Multiply Always,N−1 attack

1

Introduction

The implementation of cryptographic algorithms is a complicated and impor-tant process. Although most of the cryptographic primitives are mathematically secure, their unprotected implementations on embedded devices can pose se-rious threats by exploiting side-channel information leakages. This information

?_{“This paper is a postprint of a paper submitted to and accepted for publication in}

includes power consumption, electromagnetic radiation, system run times, acous-tic and etc. which are correlated with the secret values during data processing.

Power-analysis attacks are a powerful type of sichannel attack originally de-scribed by Kocher. This class of attacks has been applied successfully against the implementations of popular public-key cryptosystems RSA and Elgamal (13) which make use of exponentiation algorithms. The primary side-channel attacks against modular exponentiation algorithms rely on certain physical phenomena, which allows one to distinguish between multiplication and squaring operations (12). Messerges et al. proposed three types of power-analysis attacks against RSA with multiple random plaintexts(14). To mitigate these attacks, the im-plementations of modular exponentiation utilize a same sequence of instructions for multiplication and squaring operations, which makes it challenging to dif-ferentiate between these two operations for random input messages in practice (11). In response, various methods have been proposed that use the leak of sen-sitive information during the decryption process of chosen messages (18; 20; 16). In particular, several chosen-message attacks have been applied on public key encryption in (1; 2; 6; 8; 7; 9; 10; 11; 15; 19).

Simple power analysis (SPA) attacks on RSA implemented based on CRT mode with adaptively chosen messages is proposed by Novak(16). Furthermore, a dif-ferential power analysis (DPA) attack based on the Hamming weight of an in-termediate value was applied to RSA in the CRT mode (3). ”Doubling attack” is another type of the chosen-message attack in which the attacker can retrieve the secret exponent by generating a collision between the corresponding power traces of the two related messages X andX2_(5).

However, the DPA attack proposed in (3) cannot be applied to the Montgomery Ladder exponentiation algorithm. In addition, methods like inserting dummy operations may defeat the aforementioned attacks, since these attacks require more than one power trace. Single-trace side-channel attacks, which utilize a single measurement are more devastating than other types of power-analysis at-tacks which make use of several measurements and can be mitigated by methods like utilizing dummy operations.

The order-2 ciphertext is known asN−1 whereN is a modulus in RSA or El-gamal cryptosystems. The inputN−1 generates internal collisions in the state of the modular exponentiation which make it possible to distinguish between squaring and multiplying operations in one power trace. The N −1 order-2 attack can be applied to the left-to-right square-multiply-always and BRIP al-gorithms. Further research on theN−1 order-2 attacks was performed by Ding et al.(4) who proposed to utilize new order-2 ciphertexts that are applicable to Boscher’s right-to-left exponentiation algorithm. Furthermore, they found out that the Montgomery Powering Ladder is subjected to theN−1 order-2 attack. Several researches have been dedicated to protect the implementation of expo-nentiation functions against side-channel attacks. However, a strong counter-measure cannot be established for free. It has an impact on the latency, power consumption and size of the implementation. Consequently, simple countermea-sures in real-world applications are preferred as they utilize a small overhead, rather than complicated solutions with notable extra cost. In this direction, to protect the implementation against the N −1 order-2 attack, several articles propose the simplest solution, i.e. “block the special messageN−1”.

In this paper, we propose a new type of theN−1 low-order attack on a specific class of Elgamal which is implemented based on the square-and-multiply-always (SMA) or Montgomery Ladder (ML) exponentiation algorithms. In our attack, we utilize a an order-4 chosen ciphertextc such thatc2= (p−1) =−1 modp

where pis the prime number used as a modulus in Elgamal. Such a ciphertext can be found simply when p≡ 1 mod 4. Our attack demonstrates that SMA and ML algorithms cannot be defeated byN−1-type attacks even if the special message N −1 is blocked by the user. To evaluate the theoretical model, we implement the SMA and ML algorithms on an Atmel ATXMEGA128D4 8-bit microcontroller that is located on the TARGET Board of the ChipWhisperer CW1173 and applied the proposed attack on these algorithms. The experimental results show that our attack is applicable to these two algorithms by using only a single power trace.

The remainder of this paper is organized as follows: Section 2 gives an overview of previous works. Section 3 describes our new attack and how it works on SMA and ML algorithms. Section 4 presents our experimental results. Finally, Section 5 summarizes the paper and suggests further research.

2

Previous Comparative Power Analysis Attacks

consumption traces to be similar if the pair values (a, b) and (c, d) are (almost) equal (a = c, b = d). Similarly, it is to be expected to have dissimilar power consumption traces if unequal values with different size are used. In this section we briefly review the previous comparative power analysis attacks.

2.1 Doubling attack

In Doubling attack, it is assumed that the attacker has access to the two power consumption traces corresponding to the decryption of two related messagesX1

and X2. The related messages should be selected smartly to cause collisions

between their power traces at some time frames. The exact locations of such col-lisions in the power traces can be used to retrieve the secret exponent. Doubling attacks can be applied to different exponentiation algorithms. In what follows, we describe the basic idea of the attack presented on the left-to-right SMA ex-ponentiation algorithm that is described in Algorithm 1. To reveal the secret exponent, the adversary uses two related inputsX modN andX2 _{modN to}

make a collision between the corresponding power consumption traces. Accord-ing to Algorithm 1, when the i−thbit of the exponent equals to 0 a collision is generated between the squaring operation at the (i−1)−thandi−thcycle in the power trace ofX andX2_{, respectively. Figure 1 shows this verity for the}

secret exponent of ”101001...”.

Algorithm 1 Left-to-Right Square and Multiply Exponentiation

Require: c,D= (dl−1, ..., d1, d0)2,p. Ensure: m=cDmodp.

1: m←1

2: fori=l−1 downto 0 do 3: m←m×mmodp . S 4: if di= 1then

5: m←m×cmodp . M 6: end if

7: end for 8: return m

2.2 N −1 Attack on SMA Algorithm

In this section, we describe a side-channel attack that makes use of a specific order-2 ciphertext N −1 to generate internal collisions in a single trace. This attack is based on the observation that (n−1)j _{modnequals to n−1 and 1}

whenj is odd and even, respectively. This observation is used in (23) to attack the square-and-multiply-always exponentiation algorithm which is described in Algorithm 2.

Fig. 1: Doubling attack(11).

– With the assumption thatdi−1= 0, the input intermediated valuemequals

to 1. Consequently, the square operation is computed asSi : m = 12 = 1

modn in the i-th iteration. Then the multiply operation is performed as

Mi:t= 1×(N−1).

– With the assumption thatdi−1= 1, the input intermediated valuemequals

to N −1. Consequently, the square operation is computed as Si : m =

(N−1)2_{= 1 modnin thei-th iteration. After that the multiply operation}

is performed asMi:t= 1×(N−1).

As a result, the SM-sequence resulting from the computation of the SMA ex-ponentiation contains two types of squaring operations, which creates a type of side-channel leakage that depends on the (secret) exponent. The squaring opera-tion in each iteraopera-tion is either 12(whendi−1= 0) or (N−1)2(whendi−1= 0), in

which it is expected the corresponding power consumption traces to be different. This fact allows the attacker to distinguish between performing 12and (N−1)2 and consequently it is possible to recover the secret key. Figure 2 demonstrates an attack on SMA exponentiation.

Algorithm 2 Square-and-multiply-always (SMA) Exponentiation

Require: c,d= (dl−1...d0)2,p. Ensure: m=cdmodp.

1: m←1

2: fori=l−1 downto 0 do 3: m←m2 modp . Si

4: t←m×cmodp . Mi

5: if di= 1then

Fig. 2: (N−1) attack on Square and Multiply Always(4).

Fig. 3: New attacks on Boscher’s Right-to-left (4).

2.3 Further research on N−1 attack

Ding et al.(4) presented an in-depth study on the N −1 order-2 attack. They carried out new types of N −1 attacks on Boscher’s right-to-left binary ex-ponentiation algorithm (Algorithm 3) by utilizing two new low-order chosen ciphertexts 1 and N + 1. They also investigated the N −1 order-2 attack on the Montgomery Powering Ladder algorithm (Algorithm 4). In the following, we describe a summary of their work on both of the algorithms.

2.3.1 Boscher’s Right-to-left Exponentiation Algorithm

In this section we describe a variant ofN−1 order-2 attack on the Boscher’s right-to-left binary exponentiation algorithm. With the assumption thatR2= 1 in the

the first or second iteration, the values of registerR0 andR1remain unchanged

during the execution of Algorithm 3. Therefore, the multiply operation (M) in line 6, performs as follows:

– Ifdi= 0: R1=R1×1 modn=r−1×1 modn.

– Ifdi= 1: R0=R0×1 modn=r×1 modn.

By distinguishing between twoM operations (r−1_{×1) modnand (r×1) modn}

via the side-channel leakage, the adversary can recover the secret key bit by bit. Considering the fact that register R2 in Algorithm 3 is the input message

(ci-phertext), there exist two methods for setting the value of registerR2 to 1. The

first method is to set the ciphertext to a value of 1. The second method is to select the value ofR2 such thatR22 modn= 1. Therefore, if the attacker

con-siders (n−1) or (n+ 1) as the ciphertext, the value of registerR2becomes equal

to 1 ((n−1)2_{modn= 1 and (n+ 1)}2_{modn= 1) after the first iteration.}

Algorithm 3 Boscher’s Right-to-left Exponentiation (Boscher)

Require: c,n,dl−1...d0)2.

Ensure: m=cd_{modnor ”Error”.}

1: chose a random integerr 2: R0←r

3: R1←r−1modn 4: R2←c

5: fori= 0 tol−1do

6: R1−di←R1−di×R2modn . Mi

7: R2←R2×R2modn . Si

8: end for

9: if R0×R1×c=R2 then 10: return r−1×R0modn 11: else

12: return ”Error” 13: end if

2.3.2 Montgomery Powering Ladder Algorithm

In the Montgomery Powering Ladder (MPL) algorithm, the square operation in the (i−1)-th iteration (Si−1) depends directly on the relation between two

consecutive secret exponent bitsdianddi−1. Fordi =di−1, the output ofSiand

the input of Si−1 are the same (OSi =ISi−1). Conversely, for di 6=di−1, the

output ofMiand the input ofSi−1are equal (OMi=ISi−1). For the ciphertext

(n−1) as the input of MPL algorithm, the outputs of M and S operations remain always (n−1) and 1, respectively. Therefore, the attacker can find the relation between the two consecutive secret exponent bitsdianddi−1, as follows:

– Ifdi =di−1 (OSi = ISi−1 = 1 modn): the squaring operationSi−1

per-forms (1×1) modn.

– Ifdi 6=di−1 (OMi=ISi−1= (n−1) modn): the squaring operationSi−1

performs ((n−1)×(n−1)) modn.

Figure 4 illustrates an example of the described attack on MPL exponentiation algorithm.

Algorithm 4 Montgomery Powering Ladder (MPL)

Require: c,n,d= (dldl−1...d0)2 (dl= 1).

Ensure: m=cd_modn.

1: R0←c

2: R1←R0×R0modn 3: fori=l−1 downto 0 do

4: R1−di←Rdi×R1−dimodn . Mi

5: Rdi←Rdi×Rdimodn . Si

Fig. 4: (N−1) attack on Montgomery Powering Ladder (4).

3

New Attacks

An efficient and simple countermeasure to prevent theN−1 order-2 attack on RSA and Elgamal is to block the ciphertext N−1 for the decryption (10). In this section, by demonstrating attacks based on another low-order ciphertext we show this simple countermeasure cannot defeat a specific class of an Elgamal cryptosystem. Our basic idea is similar to the originalN−1 attack. We select a an order-4 ciphertext that enhances the differences between operations performed during the modular exponentiation algorithms according to the bit pattern of the secret key. We utilize a low-order chosen messagecsuch thatc2= (p−1) =

−1 modp. In what follows, we first explain how a an order-4 ciphertextccan be found such that c2_{= (p−1) =−1 modp. After that, we show how the desired}

ciphertextccan be utilized o apply a single-trace side-channel attack on Square and Multiply Always (SMA) and Montgomery Ladder (ML) algorithms.

3.1 Generating the Desired Ciphertext

Our chosen-message side-channel attacks are based on the decryption of a an order-4 chosen ciphertext c such thatc2 _{= (p−1) = −1 modpwhere pis the}

prime number used as a modulus in Elgamal. In this section, we show that such a ciphertext can be found in practice whenp≡1 mod 4 by using Little Fermat Theorem.

Little Fermat Theorem: If p is a prime number and a is any number not divisible by p, then

a(p−1)modp= 1.

Based on the Little Fermat Theorem, we can concludeap−21 =±1 modpwhere

ais an integer not divisible byp. In mathematics, ifap−21 = 1 modp,ais called

a quadratic residue mod pand if ap−21 = −1 mod p, a is called a nonresidue

mod p. Let a be a nonresidue mod p so ap−21 = (p−1) = −1 modp, when

p= 4k+ 1, we have

ap−21 =a 4k+1−1

2 =a 4k

2 =a2k = (ak)2modp.

Letak_{=c, therefore we havec}2_{=−1 = (p−1) modpandc is the appropriate}

Table 1: Summery of our attack on SMA Algorithm

di Multiplication in (i−1)-th iteration

0 (1×c) modp(has short trace) 1 ((p−1)×c) modp(has long trace)

3.2 Attack on Square and Multiply Always Algorithm

One of the efficient algorithms for modular exponentiation is the Square and Multiply Always algorithm (SMA). Algorithm 2 illustrates an implementation of the SMA algorithm. In this section, we describe an attack that uses only one chosen ciphertext and is able to extract the secret key by one power consumption trace. By crafting a suitable order-4 ciphertextc such thatc2_{= (p−1) modp,}

the output of squaring (line 3 of Algorithm 2) is always 1 or (p−1). These values inter as input of the multiplication operation (line 4). Consequently, the output of multiplication operation (line 4) is eithercor (p−c). Hence, when the bit of the secret key is 1 then the input of the squaring operation is eithercor (p−c) and when the bit of the secret key is 0 then the the input of squaring operation is either 1 or (p−1). By these observations, the bits of the secret key can be retrieved as follows.

– Ifdi= 1, the input of the multiplication operation at the (i−1)-th iteration

is either c or (p−c). In both cases, the multiplication operation performs ((p−1)×c) modp.

– Ifdi= 0, the input of the multiplication operation at the (i−1)-th iteration

is either 1 or (p−1). In both cases, the multiplication operation performs (1×c) modp.

In summary, as described above, the results of running Algorithm 2 on inputc

can be represented as Table 1.

Since (p−1) is a large random-looking number in comparison to the value of 1, we expect that the differences in the patterns of two multiply operations ((p−1)×c) modpand (1×c) modp. These differences can be easily perceived in a single power consumption trace by visual observation.

3.3 Attack on Montgomery Ladder Algorithm

Another popular algorithm for modular exponentiation is the Montgomery Lad-der algorithm (ML) which is demonstrated in Algorithm 5. In thei-th iteration of the algorithm, both squaring and multiply operations perform independent of the valuedi.

Let us assume that the ciphertext c is given as an order-4 input to the ML algorithm such thatc2_{= (p−1) =−1 modp. We show that how decryption ofc}

can reveal a relation between two consecutive secret exponent bitsdi anddi−1.

Algorithm 5 Montgomery Ladder (ML) Exponentiation

Require: c,n,d= (dldl−1...d0)2 (dl= 1).

Ensure: m=cd_modn.

1: R0←c

2: R1←R0×R0modn 3: fori=l−1 downto 0 do 4: R1−di←R0×R1modn . Mi

5: Rdi←Rdi×Rdimodn . Si

6: end for 7: return R0

Observation 1 During the execution of the modular exponentiation ML algo-rithm with the basecwherec2_{= (p−1) =−1 modp, the intermediate variables}

R0 andR1 always get one of the valuesc,(p−c),1 and(p−1).

Observation 1 follows from the fact that the the multiplicative order ofc modp

is 4. Consequently, the intermediate variables R0 andR1 always get one of the

valuesc,c2_{=−1 modp,c}3_{= (p−c) modp,c}4_{= (−1)}2_{= 1 modp.}

Observation 2 During the execution of the modular exponentiation ML algo-rithm with the base c wherec2_{= (p−1) modp, only four cases are possible to}

be performed in the multiply operationMi :R0×R1(line 4 in Algorithm 5). The

possible squaring operations which can be performed are: (1×c), ((p−1)×(p−c)), (c×(p−1)) and ((p−c)×1).

Observation 2 follows from the possible values for the variablesR0 andR1

pre-sented in Observation 1.

Observation 3 During the execution of the modular exponentiation ML algo-rithm with the basecwherec2= (p−1) modp, only four cases are possible to be performed in the squaring operationSi :Rdi×Rdi (line 5 in Algorithm 5). The

possible multiplications which can be performed are: (1×1), ((p−1)×(p−1) = 1 modp), (c×c) and ((p−c)×(p−c)).

Similarly, Observation 3 follows from the possible values for the variablesR0and

R1 presented in Observation 1.

By considering Observation 2 and Observation 3, we categorize the executed operations for all of the modes di −→ di−1 (0 ≤i ≤l−1) as Table 2 where

Mi−1 and Si−1 denote multiplication and squaring operations at the (i−1)-th

iteration, respectively.

While the above relation can be utilized for mounting a side-channel attack, a more precise analysis of information presented in Table 2 reveals that the mod-ular squaring operation can be exploited solely to identify the secret exponent bits. When two consecutive secret exponent bitsdi anddi−1 are equal to each

other, the performed squaring operation is either (1×1) or ((p−1)×(p−1)). Conversely, when two consecutive secret exponent bitsdianddi−1are not equal,

Table 2: The executed operations for all of the modesdi −→di−1

di−→di−1

( Mi−1 Si−1

1−→1

(

c×(p−1)

(p−1)×(p−1) or (

(p−c)×1 1×1

0−→0

(

(p−1)×(p−c) (p−1)×(p−1) or

( 1×c 1×1

1−→0

(

(p−c)×1

(p−c)×(p−c) or (

c×(p−1) c×c

0−→1

(

(p−1)×(p−c) (p−c)×(p−c) or

( 1×c c×c

Table 3: Distinguishing the secret exponent bits on ML Algorithm

di−→di−1 Si−1

di=di−1 ( 1×1) or ((p−1)×(p−1)) modp di6=di−1 (c×c) or ((p−c)×(p−c)) modp

4

Experimental Verification

In this section, we discuss the practicality of the low-order proposed attacks in Section 3. To verify the theoretical model, we implemented SMA and ML algo-rithms on an Atmel ATXMEGA128D4 8-bit micro-controller that was located on the TARGET Board of the ChipWhisperer CW1173 (17). In order to conduct our attacks, we carried out two phases. In the first phase, we measured and save a single power consumption trace via the CAPTURE Board of the ChipWhis-perer, while the TARGET Board is executing the decryption algorithm for the order-4 ciphertext c such thatc2 = (p−1) =−1 modp. In the second phase, we exploited the simple analysis of the power consumption trace to recover the secret exponent bits.

In the remainder of this section, we first present a preliminary experiment that we have performed to validate the proposed attack on an SMA algorithm. After that, we present a concrete experiment to attack the ML algorithm through a single power consumption trace captured from a real device.

4.1 Experimental results on Square and Multiply Always Algorithm

We sent the order-4 ciphertext c such that c2 _{= −1 mod p to Algorithm 2}

for the decryption process and measure the power consumption. Figure 5 il-lustrates the captured trace during the execution of the SMA exponentiation algorithm with the base c (such that c2 _{= −1 modp) and the exponent with}

sim-Fig. 5: Experimental results on SMA algorithm

ply possible to distinguish between the multiplications and the squaring op-erations. In order to obtain a clean and more readable figure, we illustrate the measured power consumption trace T by a sequence of subtraces T =

{(TS, TM)l−1,(TS, TM)l−2, ...,(TS, TM)1,(TS, TM)0} in whichTS andTM

corre-spond to squaring and multiply operations, respectively. The squaring operation is marked byS and the multiplication operation is marked byM which are also separated by vertical dot lines in Figure 5.

The proposed attack in Section 3.2 is based on the expectation of an observable difference between two multiply operations ((p−1)×c) modpand (1×c) modpin a single power consumption trace. Consequently, we consider onlyTM subtraces

that correspond to the mutliply operations:TM ={TMl−1, TMl−2, ..., TM1, TM0}.

The differences in the patterns of power consumption between the multiplications (1×c) modp and ((p−1)×c) modp is extremely robust and can be easily distinguished by visual observation. In Figure 5, the corresponding pattern of the multiply operation (1×c) modpdenoted byM0 has a significantly lower and shorter power consumption subtrace in comparison to the corresponding pattern of the multiply operation ((p−1)×c) modpdenoted by M1. This observation conforms to our expectation, since (p−1) is a large random-looking number in comparison to the value of 1. Finally, we can recover each exponent bit directly by visual observation of the power consumption trace.

4.2 Experimental results on Montgomery Ladder Algorithm

We first briefly recall the main observation that is used in the proposed attack on ML algorithm in Section 3.3. In the process of decrypting the order-4 ciphertext

c such that c2 = (p−1) modp the performed squaring operation in the i-th iteration can be classified into two main classes depending on the two consecutive secret exponent bitsdi anddi−1 as follows:

– di =di−1: the performed squaring operation is either (1×1) or ((p−1)×

(p−1)).

– di 6=di−1: the performed squaring operation is either (c×c) or ((p−c)×

Fig. 6: Attack on ML algorithm by utilizing the ciphertext c such that c2 ₌ −1 modp

To assess the practicability of exploiting the leakage that depends on the (secret) exponent in a realistic case, we decrypted the ciphertextcsuch thatc2_{= (p−1) =} −1 modpby using Algorithm 5 in which the first bits of the key are (111010)2

and measured the corresponding power consumption. Figure 6 illustrates the captured trace.

Similar to the previous experiment presented in Section 4.1, a simple comparison is sufficient to distinguish between the multiplication and squaring operations. We illustrate the measured power consumption trace by a sequence of subtraces

T = {(TM, TS)l−1,(TM, TS)l−2, ...,(TM, TS)1,(TM, TS)0} in which TM and TS

correspond to multiply and squaring operations, respectively. Multiplication op-eration is marked byM and squaring operation is marked byS which are also separated by vertical dot lines in Figure 6. However, in order to perform the proposed attack in Section 3.3 on ML algorithm, one should also be able to distinguish between the four aforementioned squaring operations. Unlike SMA Algorithm, it is difficult to determine the actual squaring operation based on the simple observation of the corresponding subtrace. Instead, we can use the template technique to overcome this challenge. A template attack consists of two phases. In the first phase, the characterization takes place. In the second phase, we perform a template matching to determine the actual input values of the squaring operations in the decryption process.

In our experience, the squaring operations (1×1) modp, ((p−1)×(p−1)) mod

p, (c×c) modp and ((p−c)×(p−c)) modp have different patterns. These patterns can be simply used in the matching phase to recognize the actual value used in the squaring operations. In Figure 6, we denote the squaring operations (1×1) modp, ((p−1)×(p−1)) modp, (c×c) modp and ((p−c)×(p−

5

Conclusion

In this paper, we proposed a new low-order chosen ciphertext attack on Elgamal implementations using Square and Multiply Always (SMA) and Montgomery Ladder (ML) algorithms. We exploited the leakage of power consumption during the decryption execution of a specific order-2 ciphertextcsuch thatc2_{= (p−1) =} −1 modp, wherepis the prime module in Elgamal cryptosystem. We show that such a ciphertext exists for a special case ofpwherep mod 4 = 1.

To verify the existence of the leakage that depends on the secret exponent, we provided a concrete experimentation of our attack. The experimental results con-firm the practicability of the proposed attack on both SMA and ML algorithms by utilizing the power measurement of only one single decryption.

One natural direction for further research is to develop a similar attack for ap-plying on the other modular exponentiation algorithms. As another direction, one can attempt to pursue reusing the presented idea for elliptic-curve cryp-tosystems.

In this paper, we take another step towards the generalization of the so-called

N−1 low-order attack by utilizing a specific order-4 ciphertextc such thatc2

modp= (p−1). It remains to be studied whether or not other types of ciphertext with propertyc` <sub>modp= (p−1) with small values of`can be utilized to apply</sub>

new attacks against Elgamal cryptosystem in practice.

Bibliography

[1] Clavier, C., Feix, B.: ‘Updated recommendations for blinded exponentiation vs. single trace analysis’. In COSADE 2013, 2013, pp. 80–98.

[2] Courr`ege, G.C., Feix, B., and Roussellet, M.: ‘Simple power analysis on exponentiation revisited’.In CARDIS 2010, 2010, pp. 65–79.

[3] Boe, B.D., Lemke, k., Wicke, G.: ‘A DPA attack against the modular reduc-tion within a CRT implementareduc-tion of RSA’. In CHES 2002, 2002, pp. 228–243. [4] Ding, Z., Guo, W., Su, L., Wei, J., Gu, H.: ‘Further research on N-1 attack

against exponentiation algorithms’. In ACISP 2014, 2014, pp. 162–175. [5] Fouque, P.A., Valette, F.: ‘The doubling attack - Why Upwards Is Better

than Downwards’. In CHES 2003, 2003, pp. 269–280.

[6] Genkin, D., Pachmanov, L., Pipman, P., Tromer, E.:‘Stealing keys from pcs using a radio: Cheap electromagnetic attacks on windowed exponentiation’. In CHES 2015, 2015, pp. 207–228.

[7] Genkin, D., Pachmanov, L., Pipman, I., Tromer, E.: ‘ECDH key-extraction via low-bandwidth electromagnetic attacks on pcs’. In CT-RSA 2016, 2016, pp. 219–235.

[8] Genkin, D., Pipman, I., Tromer, E.: ‘Get your hands off my laptop: Physical side-channel key-extraction attacks on pcs’. In CHES 2014, 2014, pp. 242–260. [9] Genkin, D., Shamir, A., Tromer, E.: ‘RSA key extraction via low-bandwidth

acoustic cryptanalysis’. IACR Cryptology ePrint Archive, 2013.

[10] Homma, N., Miyamoto, A., Aoki, T., Satoh, A., Shamir, A.: ‘Collision-based power analysis of modular exponentiation using chosen-message pairs’. In CHES 2008, 2008, pp. 15–29.

[11] Homma, N., Miyamoto, A., Aoki, T., Satoh, A., Shamir. A.: ‘Comparative power analysis of modular exponentiation algorithms’. IEEE Trans. Comput-ers, 2010, 59(6):pp. 795–807.

[12] Kocher, P.C.: ‘Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems’. In CRYPTO 1996, 1996, pp. 104–113.

[13] Kocher, P.C., Jaffe, J., Jun, B.: ‘Differential power analysis’. In CRYPTO 1999, 1999, pp. 388–397.

[14] Messerges, T.S., Dabbish, E.A., Sloan, R.H.: ‘Power analysis attacks of mod-ular exponentiation in smart cards’. In CHES 1999, 1999, pp. 144–157. [15] Miyamoto, A., Homma, N., Aoki, T., Satoh,A.: ‘Enhanced power

analy-sis attack using chosen message against RSA hardware implementations’. In ISCAS 2008, 2008, pp. 3282–3285.

[16] Novak, R.: ‘Spa-based adaptive chosen-ciphertext attack on RSA implemen-tation’. In PKC 2002, 2002, pp. 252–262.

[17] O’Flynn, C., Chen, Z.D.: ‘Chipwhisperer: An opensource platform for hard-ware embedded security research’. In COSADE 2015, 2015, pp. 243–260. [18] Schindler, W.: ‘A timing attack against RSA with the chinese remainder

[19] Schindler, W.: ‘Exclusive exponent blinding may not suffice to prevent tim-ing attacks on RSA’. In CHES 2015, 2015, pp. 229–247.

[20] Walter, C.D., Thompson, S.: ‘Distinguishing exponent digits by observing modular subtractions’. In CT-RSA 2001, 2001, pp. 192–207.

[21] Yen, S.M., Joye, M.: ‘Checking before output may not be enough against fault-based cryptanalysis’. IEEE Trans. Computers, 2002, 49(9):, pp. 967–970. [22] Yen, S.M., Ko, L.C., Moon, S.J., Ha, J.C.: ‘Relative doubling attack against

montgomery ladder’. In ICISC 2005, 2005, pp. 117–128.

[23] Yen, S.m., Lien, W.C., Moon, S.J., Ha, J.C.: ‘Power analysis by exploiting chosen message and internal collisions - vulnerability of checking mechanism for rsa-decryption’. In Mycrypt 2005, 2005, pp. 183–195.

[24] Fan, J., Gierlichs, B., and Vercauteren, F.: ‘To Infinity and Beyond: Com-bined Attack on ECC Using Points of Low Order’. In CHES 2011, 2011, pp. 143–159.

[25] Biehl, I., Meyer, B., and Muller, V.: ‘Differential Fault Attacks on Elliptic Curve Cryptosystems’. In CRYPTO 2000, 2000, pp. 131–146.

[26] Genkin, D., Valenta, L., and Yarom, Y. ‘May the Fourth Be With You: A Microarchitectural Side Channel Attack on Several Real-World Applications of Curve25519’. In ACM Conference on Computer and Communications Security, CCS 2017, 2017, pp. 845–858.